terraform-k8s-app

Overview

Terraform module for deploying an application to a Kubernetes cluster.

Usage

module "terraform-k8s-app" {
  source = "git::https://github.com/sourcefuse/terraform-k8s-app.git"

  for_each              = local.k8s_apps
  app_label             = each.value.app_label
  container_image       = each.value.container_image
  container_name        = each.value.container_name
  container_port        = each.value.container_port
  deployment_name       = each.value.deployment_name
  namespace_name        = each.value.namespace_name
  port                  = each.value.port
  port_name             = each.value.port_name
  protocol              = each.value.protocol
  service_name          = each.value.service_name
  target_port           = each.value.target_port
  replica_count         = each.value.replica_count

  ## pvc
  persistent_volume_claim_enable           = try(each.value.persistent_volume_claim_enable, false)
  persistent_volume_claim_name             = try(each.value.persistent_volume_claim_name, null)
  persistent_volume_claim_labels           = try(each.value.persistent_volume_claim_labels, {})
  persistent_volume_claim_namespace        = try(each.value.persistent_volume_claim_namespace, null)
  persistent_volume_claim_resource_request = try(each.value.persistent_volume_claim_resource_request, {})

  environment_variables = each.value.environment_variables
}

locals {
  redis_host = "redis.${kubernetes_namespace.sourceloop_sandbox.metadata[0].name}.svc.cluster.local"
  k8s_apps = {
    redis_application = {
      app_label             = "redis"
      container_image       = var.redis_image
      container_name        = "redis"
      container_port        = 6379
      deployment_name       = "redis"
      namespace_name        = kubernetes_namespace.sourceloop_sandbox.metadata[0].name
      port                  = 6379
      port_name             = "6379"
      protocol              = "TCP"
      service_name          = "redis"
      target_port           = 6379
      replica_count         = 1
      environment_variables = []
    }
  }
}
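As an added example (not part of the module's README or the project's own code), the invocation below shows a single application that keeps credentials out of plain environment variables and turns on the module's optional resource limits. It uses only inputs listed in the Inputs table; the image variable, the "sandbox" namespace, the Secret name "api-credentials", the SecretProviderClass "api-secret-provider" and the ServiceAccount "api-runtime" are assumptions for illustration.

```hcl
# Added example, not the module's own code. Assumed to already exist in the
# cluster: var.api_image, namespace "sandbox", Secret "api-credentials",
# SecretProviderClass "api-secret-provider" and ServiceAccount "api-runtime".
module "api" {
  source = "git::https://github.com/sourcefuse/terraform-k8s-app.git"

  app_label       = "api"
  container_image = var.api_image
  container_name  = "api"
  container_port  = 8080
  deployment_name = "api"
  namespace_name  = "sandbox"
  port            = 80
  port_name       = "http"
  protocol        = "TCP"
  service_name    = "api"
  target_port     = 8080
  replica_count   = 2

  # Non-secret configuration only: anything placed here is recorded in plan
  # output and in Terraform state in clear text.
  environment_variables = [
    { name = "REDIS_HOST", value = "redis.sandbox.svc.cluster.local" },
    { name = "LOG_LEVEL", value = "info" },
  ]

  # Credentials are injected from an existing Secret via secretKeyRef, so the
  # value itself never passes through Terraform.
  env_secret_refs = [
    {
      env_var_name        = "REDIS_PASSWORD"
      secret_key_ref_name = "api-credentials"
      secret_key_ref_key  = "redis-password"
    },
  ]

  # Alternatively, mount secrets from an external store through the Secrets
  # Store CSI driver; read_only keeps the mount immutable from inside the pod.
  csi_secret_volumes = [
    {
      volume_name       = "api-secrets"
      mount_path        = "/mnt/secrets-store"
      read_only         = true
      driver            = "secrets-store.csi.k8s.io"
      volume_attributes = { secretProviderClass = "api-secret-provider" }
    },
  ]

  # Resource limits default to off; enable them so one runaway pod cannot
  # starve the node.
  container_resources_enabled  = true
  container_resources_requests = { cpu = "250m", memory = "128Mi" }
  container_resources_limits   = { cpu = "1", memory = "512Mi" }

  # Run under a dedicated ServiceAccount instead of the namespace default.
  service_account_name = "api-runtime"
}
```

Two caveats worth keeping in mind when using the module's other inputs: secret_enable with secret_data creates the Secret through Terraform, which stores the values in state, so a pre-existing Secret or the CSI mount is preferable where state is not handled as sensitive data; and persistent_volume_reclaim_policy defaults to "Delete" in this module even though its description names Retain as the Kubernetes default, so set it explicitly when the volume's data must outlive the claim.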

Requirements

Name Version
terraform >= 1.4.4
kubernetes >= 2.0.0
time >= 0.7.2

Providers

Name Version
kubernetes 2.6.1
time 0.7.2

Modules

No modules.

Resources

Name Type
kubernetes_config_map.default resource
kubernetes_deployment.default resource
kubernetes_persistent_volume.default resource
kubernetes_persistent_volume_claim.default resource
kubernetes_secret.default resource
kubernetes_service.default resource
time_sleep.create_config resource

Inputs

Name Description Type Default Required
app_label Value for the app label used for label matching string n/a yes
config_map_binary_data Map of binary data for the config map. map(any) {} no
config_map_data Map of data for the config map. map(any) {} no
config_map_enabled Enable the Kubernetes config map. bool false no
config_map_name Name to give the config map. string null no
container_image Docker image for the k8s deployment string n/a yes
container_name Name of container for the k8s deployment string n/a yes
container_port Container port for the k8s deployment number n/a yes
container_resources_enabled Enable container resource limits / requests. bool false no
container_resources_limits Describes the maximum amount of compute resources allowed. For more info see http://kubernetes.io/docs/user-guide/compute-resources object({ cpu = string, memory = string }) { "cpu": "0.5", "memory": "512Mi" } no
container_resources_requests Describes the minimum amount of compute resources required. object({ cpu = string, memory = string }) { "cpu": "250m", "memory": "50Mi" } no
csi_secret_volumes List of maps of CSI volumes. These are used to dynamically generate the volume specs. list(object({ volume_name = string, mount_path = string, read_only = bool, driver = string, volume_attributes = object({ secretProviderClass = string }) })) [] no
deployment_name Name of the k8s deployment string n/a yes
enable_kubernetes_service Enable the kubernetes service. bool true no
env_secret_refs List of secretKeyRefs to add to ENV variables. list(object({ env_var_name = string, secret_key_ref_name = string, secret_key_ref_key = string })) [] no
environment_variables List of maps for environment variables list(object({ name = string, value = string })) [] no
namespace_name Name of the k8s namespace string n/a yes
persistent_volume_access_modes Contains all ways the volume can be mounted. Valid values are ReadWriteOnce, ReadOnlyMany, ReadWriteMany. list(string) [ "ReadWriteMany" ] no
persistent_volume_annotations An unstructured key value map stored with the persistent volume that may be used to store arbitrary metadata. map(any) {} no
persistent_volume_claim_access_modes A set of the desired access modes the volume should have. list(string) [ "ReadWriteMany" ] no
persistent_volume_claim_annotations An unstructured key value map stored with the persistent volume claim that may be used to store arbitrary metadata. map(any) {} no
persistent_volume_claim_enable Enable a persistent volume claim. bool false no
persistent_volume_claim_labels Map of string keys and values that can be used to organize and categorize (scope and select) the persistent volume claim. May match selectors of replication controllers and services. map(any) {} no
persistent_volume_claim_name Name of the persistent volume claim, must be unique. Cannot be updated. string null no
persistent_volume_claim_namespace Namespace defines the space within which name of the persistent volume claim must be unique. string null no
persistent_volume_claim_resource_limits Map describing the maximum amount of compute resources allowed. map(string) {} no
persistent_volume_claim_resource_request Map describing the minimum amount of compute resources required. map(string) { "storage": "5Gi" } no
persistent_volume_claim_storage_class_name Name of the storage class requested by the claim. string null no
persistent_volume_claim_volume_name The binding reference to the PersistentVolume backing this claim. string null no
persistent_volume_enable Enable a persistent volume. bool false no
persistent_volume_labels Map of string keys and values that can be used to organize and categorize (scope and select) the persistent volume. May match selectors of replication controllers and services. map(any) {} no
persistent_volume_name Name of the persistent volume, must be unique. Cannot be updated. string null no
persistent_volume_reclaim_policy What happens to a persistent volume when released from its claim. Valid options are Retain (default), Delete and Recycle. Recycling must be supported by the volume plugin underlying this persistent volume. string "Delete" no
persistent_volume_secret_provider_class Name of the secret provider class for CSI driver volume mounts for secret string null no
persistent_volume_secrets_driver Driver for persistent volume. Defaults to CSI driver setting string "secrets-store.csi.k8s.io" no
persistent_volume_storage_size Persistent volume size. string "1Gi" no
port k8s service port number n/a yes
port_name Name of the service port string n/a yes
protocol k8s service protocol string n/a yes
replica_count k8s Deployment replica count number n/a yes
secret_annotations An unstructured key value map stored with the secret that may be used to store arbitrary metadata. map(any) null no
secret_data A map of the secret data. map(any) {} no
secret_enable Enable Kubernetes secrets resource. bool false no
secret_labels Map of string keys and values that can be used to organize and categorize (scope and select) the secret. map(any) {} no
secret_name Name of the secret, must be unique. Cannot be updated. string null no
secret_namespace Namespace defines the space within which name of the secret must be unique. string null no
secret_type The secret type. Defaults to Opaque. See https://kubernetes.io/docs/concepts/configuration/secret/#secret-types for the different types. string "Opaque" no
service_account_name Name of the service account to be used for this deployment. string null no
service_name Name of the k8s service string n/a yes
target_port k8s service target port number n/a yes

Outputs

Name Description
host n/a
service_name n/a
service_port n/a

Development

Prerequisites

Configurations

Tests

Tests are available in the test directory located in the root of this project.

Adding a new test

When something new is added to the Terraform example configuration, the tests need to be updated to cover it. This is done by adding the test to test/example_test.go.

  • For more information on Terratest, please see their Getting Started docs.
  • For more information on k8s testing, see the k8s docs.

Running with Docker

The following commands are run from the root of the project.

  • Build the image locally:
    docker build -t terraform-k8s-app-test -f Dockerfile-test .
    
  • Start the container:
    docker run -it -v $HOME/.kube/config:/home/tester/.kube/config:ro --net=host terraform-k8s-app-test
    

Running on the local system

TL;DR: From the test directory, run go-test.sh to get all requirements and run a test.

  • Configure golang deps for tests

    go get github.com/gruntwork-io/terratest/modules/terraform
    go get github.com/gruntwork-io/terratest/modules/k8s
    go get github.com/stretchr/testify/assert
    # testing and fmt are part of the Go standard library and need no go get
    

    -OR-

    ./go-get.sh
    
  • From the test directory, run the below command:

    go test
    

    -OR-

    ./go-test.sh
    

Requirements

No requirements.

Providers

Name Version
kubernetes 2.6.1
time 0.7.2

Modules

No modules.

Resources

Name Type
kubernetes_config_map.default resource
kubernetes_deployment.default resource
kubernetes_persistent_volume.default resource
kubernetes_persistent_volume_claim.default resource
kubernetes_secret.default resource
kubernetes_service.default resource
time_sleep.create_config resource

Inputs

Name Description Type Default Required
app_label Value for the app label used for label matching string n/a yes
config_map_binary_data Map of binary data for the config map. map(any) {} no
config_map_data Map of data for the config map. map(any) {} no
config_map_enabled Enable the Kubernetes config map. bool false no
config_map_name Name to give the config map. any null no
container_image Docker image for the k8s deployment string n/a yes
container_name Name of container for the k8s deployment string n/a yes
container_port Container port for the k8s deployment number n/a yes
container_resources_enabled Enable container resource limits / requests. bool false no
container_resources_limits Describes the maximum amount of compute resources allowed. For more info see http://kubernetes.io/docs/user-guide/compute-resources object({ cpu = string, memory = string }) { "cpu": "0.5", "memory": "512Mi" } no
container_resources_requests Describes the minimum amount of compute resources required. object({ cpu = string, memory = string }) { "cpu": "250m", "memory": "50Mi" } no
csi_secret_volumes List of maps of CSI volumes. These are used to dynamically generate the volume specs. list(object({ volume_name = string, mount_path = string, read_only = bool, driver = string, volume_attributes = object({ secretProviderClass = string }) })) [] no
deployment_name Name of the k8s deployment string n/a yes
enable_kubernetes_service Enable the kubernetes service. bool true no
env_secret_refs List of secretKeyRefs to add to ENV variables. list(object({ env_var_name = string, secret_key_ref_name = string, secret_key_ref_key = string })) [] no
environment_variables List of maps for environment variables list(object({ name = string, value = string })) [] no
namespace_name Name of the k8s namespace string n/a yes
persistent_volume_access_modes Contains all ways the volume can be mounted. Valid values are ReadWriteOnce, ReadOnlyMany, ReadWriteMany. list(string) [ "ReadWriteMany" ] no
persistent_volume_annotations An unstructured key value map stored with the persistent volume that may be used to store arbitrary metadata. map(any) {} no
persistent_volume_claim_access_modes A set of the desired access modes the volume should have. list(string) [ "ReadWriteMany" ] no
persistent_volume_claim_annotations An unstructured key value map stored with the persistent volume claim that may be used to store arbitrary metadata. map(any) {} no
persistent_volume_claim_enable Enable a persistent volume claim. bool false no
persistent_volume_claim_labels Map of string keys and values that can be used to organize and categorize (scope and select) the persistent volume claim. May match selectors of replication controllers and services. map(any) {} no
persistent_volume_claim_name Name of the persistent volume claim, must be unique. Cannot be updated. any null no
persistent_volume_claim_namespace Namespace defines the space within which name of the persistent volume claim must be unique. any null no
persistent_volume_claim_resource_limits Map describing the maximum amount of compute resources allowed. map(string) {} no
persistent_volume_claim_resource_request Map describing the minimum amount of compute resources required. map(string) { "storage": "5Gi" } no
persistent_volume_claim_storage_class_name Name of the storage class requested by the claim. any null no
persistent_volume_claim_storage_size Map describing the minimum amount of compute resources required. any null no
persistent_volume_claim_volume_name The binding reference to the PersistentVolume backing this claim. any null no
persistent_volume_enable Enable a persistent volume. bool false no
persistent_volume_labels Map of string keys and values that can be used to organize and categorize (scope and select) the persistent volume. May match selectors of replication controllers and services. map(any) {} no
persistent_volume_mount_path Path to mount the persistent volume for secrets string "/mnt/secrets-store" no
persistent_volume_name Name of the persistent volume, must be unique. Cannot be updated. any null no
persistent_volume_reclaim_policy What happens to a persistent volume when released from its claim. Valid options are Retain (default), Delete and Recycle. Recycling must be supported by the volume plugin underlying this persistent volume. string "Delete" no
persistent_volume_secret_provider_class Name of the secret provider class for CSI driver volume mounts for secret string null no
persistent_volume_secrets_driver Driver for persistent volume. Defaults to CSI driver setting string "secrets-store.csi.k8s.io" no
persistent_volume_storage_path Path of the directory on the host. any null no
persistent_volume_storage_size Persistent volume size. string "1Gi" no
port k8s service port number n/a yes
port_name Name of the service port string n/a yes
protocol k8s service protocol string n/a yes
replica_count k8s Deployment replica count number n/a yes
secret_annotations An unstructured key value map stored with the secret that may be used to store arbitrary metadata. any null no
secret_data A map of the secret data. map(any) {} no
secret_enable Enable Kubernetes secrets resource. bool false no
secret_labels Map of string keys and values that can be used to organize and categorize (scope and select) the secret. map(any) {} no
secret_name Name of the secret, must be unique. Cannot be updated. any null no
secret_namespace Namespace defines the space within which name of the secret must be unique. any null no
secret_type The secret type. Defaults to Opaque. See https://kubernetes.io/docs/concepts/configuration/secret/#secret-types for the different types. string "Opaque" no
service_account_name Name of the service account to be used for this deployment. any null no
service_name Name of the k8s service string n/a yes
target_port k8s service target port number n/a yes

Outputs

Name Description
host n/a
service_name n/a
service_port n/a

Authors

This project is authored by:

  • SourceFuse ARC Team